[Zope] Zope PAS for pubcookie authentication

cristopher pierson ewing cewing at u.washington.edu
Tue Nov 21 18:06:14 EST 2006


On Tue, 21 Nov 2006, Jens Vagelpohl wrote:

> On 21 Nov 2006, at 22:52, cristopher pierson ewing wrote:
>> Pubcookie sets up a situation using an apache module where requests to 
>> protected URLs get forwarded to an auth server where username and password 
>> are checked, and a cookie is set containing the username.  There is an 
>> additional apache mod called mod_fba (fake basic authentication) which then 
>> takes the information returned by the pubcookie server and packages it as 
>> if it were a basic authentication, setting the login to the username 
>> returned by pubcookie.
>
> I don't know how mod_fba works, but you seem to imply that for Zope, running 
> behind Apache, the result looks just like standard Basic auth. Since this is 
> already supported, why do you think you need your own plugin for extracting 
> the credentials?
The only reason is that I need to skip checking for a password, but that 
appears to be handled by the authenticateCredentials method.  I'll kill 
off my extraction method since it does nothing.


>
>> I've started messing with this all by using the PASPlugins plugin called 
>> apachepas as a base.  It seemed a good place to start as the authentication 
>> piece is handled by apache.
>> 
>> Apachepas defines two plugins, an ExtractionPlugin and an AuthPlugin.  The 
>> extraction plugin as I've rewritten it contains the following method:
>>
>>  def extractCredentials(self,request):
>>    """
>>    extract credentials
>>    """
>>    user_id = request.getHeader('REMOTE_USER', None)
>>    if not user_id:
>>      return None
>>    return {'user_id': user_id}
>
> If mod_fba sets standard Basic auth headers you will not need this, matter of 
> fact this code will never yield any results since the REMOTE_USER header has 
> nothing to do with Basic auth, and won't be there at all.
Yep, you are right here.  Sorry about that.  I'm working from some older 
code that used a product called 'RemoteUserAuth' to insert the 
'REMOTE_USER' header into the environment using an overwritten 
get_environment() method from the HTTPRequest object (I think).  All of 
that stuff can be found at http://www.washington.edu/webinfo/cases/zope 
where they outline a method for using pubcookie with zope.  Their method 
seems to be out-of-date, though.  It doesn't work with PAS at all.


>
>> The AuthPlugin as I've rewritten it contains the following method:
>>
>>  def authenticateCredentials(self, credentials):
>>    """See IAuthenticationPlugin.
>>    """
>>    user_id = credentials.get('login', None)
>>    if user_id is None:
>>      return None
>>    return user_id, user_id
>> 
>> Now, here's my first question.  Astute observers may notice that the name 
>> for the login name in the credentials used by authenticateCredentials is 
>> different than the name set for the login in extractCredentials.  This is 
>> because when I peeked at the credentials passed in to 
>> authenticateCredentials, it appears to be using a different set of 
>> credentials than I set.  I'm thinking I must be missing a step in there 
>> somewhere, but I don't know what it is.  Is there some method being called 
>> somewhere that takes the {'user_id': user_id} tuple returned by 
>> extractCredentials and repackages it into a credentials tuple that looks 
>> like this:
>> 
>> {'extractor': 'credentials_basic_auth', 'login': 'myname', 'password': 
'password', 'remote_host': '', 'remote_address': 'some.address.com'}?
>
> As the mapping tells you, the plugin responsible for getting these 
> credentials is "credentials_basic_auth", which is most likely a 
> HTTPBasicAuthHelper plugin, and you will see it right in your 
> PluggableAuthService object.
Again, you are right.  The only question I have remaining is how the 
'extractor' key in the credentials gets set.  I've looked up the interface 
for this method, and looked up the method being used in the 
HTTPBasicAuthHelper.py file, and the tuple that method returns, called 
'cred' doesn't contain such a key.  I'm just curious here, trying to get a 
handle on the logical flow of the authentication process.  My PAS plugin 
works well with only an authenticateCredentials method.

>> Third question:
>> How do plugins get selected for PAS tasks like extraction?  Is there a way 
>> to force the selection of my tool?  or would that break everything?
>
> Your tool is being selected, it just does the wrong thing. Get rid of your 
> extractor.
Absolutely right.  Thanks for the help, jens!  Sorry to trouble.


> jens
>
>


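The open question in the thread is where the 'extractor', 'remote_host' and 'remote_address' keys come from when the poster's own extractor never set them. The following is an added, simplified model of the PAS extract-then-authenticate loop (not PAS's own code, and written from memory of its behaviour, so treat the tagging step as an assumption): a Basic-auth extractor standing in for HTTPBasicAuthHelper, a password-less authenticator like the poster's, and a dispatch function that tags each credential dict with the extractor id before any authenticator sees it. FakeRequest, the plugin ids and the sample address are constructed for the example.

```python
import base64

class FakeRequest:
    """Constructed stand-in for a Zope HTTPRequest with only what the flow needs."""
    def __init__(self, headers, environ):
        self._headers, self._environ = headers, environ
    def getHeader(self, name, default=None):
        return self._headers.get(name, default)
    def get(self, key, default=None):
        return self._environ.get(key, default)

class BasicAuthExtractor:
    """Plays the HTTPBasicAuthHelper role: decode the Authorization header."""
    def extractCredentials(self, request):
        auth = request.getHeader('Authorization', '')
        if not auth.lower().startswith('basic '):
            return {}
        login, _, password = base64.b64decode(auth[6:]).decode('latin-1').partition(':')
        return {'login': login, 'password': password}

class TrustUpstreamAuthenticator:
    """Like the poster's AuthPlugin: accept the login, skip the password check.
    Only sound when Zope is reachable solely through the Apache/mod_fba front end."""
    def authenticateCredentials(self, credentials):
        user_id = credentials.get('login')
        return None if not user_id else (user_id, user_id)

def extract_user_ids(request, extractors, authenticators):
    """Simplified model of the PAS dispatch loop (an assumption, not PAS's code):
    the credential dict is tagged with extractor id and client address before
    every authenticator sees it, which is where the 'extractor' key comes from."""
    found = []
    for extractor_id, extractor in extractors:
        credentials = extractor.extractCredentials(request)
        if not credentials:
            continue
        credentials['extractor'] = extractor_id
        credentials['remote_host'] = request.get('REMOTE_HOST', '')
        credentials['remote_address'] = request.get('REMOTE_ADDR', '')
        for _auth_id, auth in authenticators:
            result = auth.authenticateCredentials(credentials)
            if result is not None:
                found.append((result[0], result[1], dict(credentials)))
    return found

def demo():
    # Constructed request as mod_fba would present it: a Basic header for 'myname'.
    token = base64.b64encode(b'myname:password').decode('ascii')
    request = FakeRequest({'Authorization': 'Basic ' + token}, {'REMOTE_ADDR': '198.51.100.7'})
    return extract_user_ids(request, [('credentials_basic_auth', BasicAuthExtractor())],
                            [('pubcookie_auth', TrustUpstreamAuthenticator())])
```

Running demo() yields one (user_id, login, credentials) triple whose credentials dict carries the same 'extractor' and 'remote_address' keys the poster saw, even though neither plugin set them.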